| Availability |
Odoo Online
Odoo.sh
On Premise
|
| Odoo Apps Dependencies |
•
Attendances (hr_attendance)
• Discuss (mail) • Employees (hr) |
| Community Apps Dependencies | Show |
| Lines of code | 3205 |
| Technical Name |
eh_hr_attendance_geofence |
| License | LGPL-3 |
| Website | https://www.erpheritage.com.au/ |
| Versions | 16.0 17.0 18.0 19.0 |
Mobile Geofence Clock-in
Pair a phone once, then clock in from a web page the server gates by GPS distance to your sites.
Why this module
Mobile Geofence Clock-in
Workers who skip the kiosk
Field crews, drivers, trades on the road, and agreed work-from-home staff whose hours still need a location anchor at the moment they clock on.
SMS time sheets or a tracking SaaS
No free-text hours texted to a supervisor, no app-store rollout, no MDM, and no per-seat cloud that streams a worker's GPS all day.
The data on your server
Coordinates land in your Odoo, the distance check runs server-side, and every pass and fail is written to the suite kiosk audit you already own.
Day in the life
A field worker arrives on site, clocks in from the ute, gets on with it.
HR opens the employee record, clicks Issue mobile pairing PIN, and reads the six digits to the worker. The worker opens the mobile shell on their handset, enters the PIN, and the server expires any prior PIN, redeems this one atomically, and returns a token bound to that employee. From then on one tap asks the browser for location once, posts the token plus coordinates, and the server measures the distance to every active site in the worker's company. Inside any radius the attendance row is created on the way in and closed on the way out. Outside, the clock is refused and a geofence violation lands in the audit. No background tracking, no app install.
Edge cases
The cases most modules quietly ignore.
In the shipped code today, each one a place where a cheaper module silently does the wrong thing.
The pairing PIN is redeemed atomically against a persistent row and marked used before the token is returned, so a replay or a double-tap cannot pair one PIN to two devices. Issuing a fresh PIN expires any prior active one for that employee.
The public pair, clock, and whoami routes are rate limited per IP and per token through a DB-backed counter that uses an atomic upsert with RETURNING, so two workers racing the same bucket cannot both read a stale count. Limits hold across a restart and across workers, unlike a process-global dict. Over budget returns HTTP 429.
If an employee requires geofence and the browser sends no coordinates, the clock is refused with reason geofence_required and a geofence_fail event is logged, rather than silently creating an unverified row.
When no site is within range the closest distance is recorded to the audit for forensic context, a geofence_fail event is logged, and a geofence_violation exception is raised into the suite exception model.
Untick Require mobile geofence for a genuine off-site role and the distance gate is skipped, but the clock still records device last-seen, IP, user agent, and last lat and lng for visibility. Default is on.
Device and pairing rows carry the employee's company and a global record rule scopes them to the user's allowed companies. Regular users see only their own device, managers and auditors get the wider view per the access matrix. The geofence check only considers sites in the employee's own company.
Revoke deactivates the device and the bookmark stops working at the next request. Rotate token reissues a unique token and invalidates the old one, both guarded by a unique constraint on the token column.
A daily cron expires lapsed PINs and unlinks terminal pairing rows older than a day so the table stays small, isolated from the clock path so housekeeping never blocks a worker clocking on.
What is inside
Built to do the job, end to end.
- Persistent one-shot pairing PIN. eh.hr.mobile.pairing issues a six-digit PIN with a five-minute TTL, one live PIN per employee, redeemed atomically and marked used so it cannot be reused. The PIN is collision-checked against active rows on generation.
- Employee-bound device token. eh.hr.mobile.device holds a 256-bit opaque token from secrets.token_urlsafe, unique-constrained, rotatable and revocable, with tracked last-seen, last IP, user agent, and last latitude and longitude.
- Server-side haversine geofence. The clock endpoint reads every active, geofence-enabled site in the employee's company and accepts the request if the device is inside any site's radius, returning the matched site and the measured distance.
- Site radius override, company default. Each site can declare its own radius; otherwise the company-level default applies. Tighten a city site and loosen a sprawling depot without touching code.
- No-install mobile shell. A vanilla-JS check-in and check-out page served at the mobile route, no Odoo web framework dependency, so it runs on locked-down corporate browsers and basic Android and iOS WebViews. The worker bookmarks it to the home screen.
- Pass and fail audit trail. Device registration, geofence pass, geofence fail, and each attendance in and out are written to the suite kiosk event log with the distance, the site, and the device, and violations also raise an attendance exception.
- Record-rule security matrix. Per-company global rule plus own-only read for users, full visibility for managers and auditors, and a CSV access matrix across user, manager, admin, and auditor groups for both the device and pairing models.
Honest about the edges
What this does not do, so nothing surprises you.
- Browser geolocation can be spoofed with developer tools or rooted hardware, so this gives rough hours-and-location assurance, not tamper-proof identity. For higher assurance pair it with a face-match kiosk at the depot.
- Identity is bound to the device pairing only. There is no face capture or biometric on the mobile path in this module.
- Location is sampled at the two clock moments only. There is no continuous tracking, route history, or breadcrumb trail by design.
- The geofence check only considers sites that have geofence enabled with valid coordinates set in the attendance base module. A site with no coordinates is not a fence.
- Distance uses the device's reported coordinates and accuracy. Indoor or poor-signal GPS can read tens of metres off, so set radii with that headroom in mind.
- This module depends on the ERP Heritage attendance base and core modules and the standard hr_attendance app; it is not a standalone attendance system.
odoo mobile attendance, gps geofence attendance, geofence clock in odoo, field worker time tracking, remote clock in odoo, mobile clock in clock out, haversine geofence, odoo 16 attendance, no app attendance, home based attendance, kiosk attendance suite, employee location verification
Need this fitted to the way you work?
ERP Heritage delivers end to end Odoo work: Odoo Implementation, Customization and Development, Integration, Migration, Consultation, Support and Training. We help teams put this module into production, shape it to their process, and keep it running.
We work with businesses across Australia (Melbourne, Sydney, Brisbane, Perth, Adelaide, Canberra) and the Middle East (Dubai, Abu Dhabi, Riyadh, Jeddah, Doha, Kuwait City, Muscat). Start a conversation at erpheritage.com.au or email info@erpheritage.com.au.
Languages
Available in 19 languages
The interface ships translated out of the box. Switch language in Odoo and the fields, menus, and messages follow.
Please log in to comment on this module